In modules/infrastructure/permissions/iam_user, a new IAM user is created, and a new access key pair for that user is also created.
AWS best practices currently are to rotate access keys every 90 days. Currently, the only clean way I can see to rotate this access key is to "terraform taint" the resource, and re-apply the template, resulting in deletion and re-creation of the access key, and subsequent update of the cloud-connector helm template.
However, as currently written, this would result in deleting the old key before creating the new key, which could cause an access denied message to cloud-connector while this is in progress. However, by specifying the "create_before_destroy" option for the access key, the new access key should be created, the helm template should be updated, and only then would the old key be deleted.
Is there another, cleaner way of rotating this access key that I'm missing? If not, I think create_before_destroy should be set on this resource.
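For illustration, here is an added example (not the repository's own module) of the lifecycle setting the issue proposes, with the key handed to a hypothetical `helm_release` consumer; the resource names, chart path and Helm value names are assumptions, and it assumes the AWS and Helm Terraform providers are configured.

```hcl
# Added example, not the project's module. Names below are hypothetical.
resource "aws_iam_user" "cloud_connector" {
  name = "cloud-connector"
}

resource "aws_iam_access_key" "cloud_connector" {
  user = aws_iam_user.cloud_connector.name

  # Without this block, replacing the key (e.g. after "terraform taint",
  # or "terraform apply -replace=aws_iam_access_key.cloud_connector" on
  # Terraform >= 0.15.2) destroys the old key first, so the consumer runs
  # with a revoked credential until the new one is applied.
  # With it, the replacement key is created and propagated to dependents
  # before the old key is deleted.
  lifecycle {
    create_before_destroy = true
  }
}

# Hypothetical consumer: because it references the key's attributes,
# Terraform updates it against the new key and only afterwards removes
# the deposed (old) key.
resource "helm_release" "cloud_connector" {
  name  = "cloud-connector"
  chart = "./charts/cloud-connector" # assumption: local chart path

  set_sensitive {
    name  = "aws.accessKeyId"
    value = aws_iam_access_key.cloud_connector.id
  }

  set_sensitive {
    name  = "aws.secretAccessKey"
    value = aws_iam_access_key.cloud_connector.secret
  }
}
```

One caveat for the create-before-destroy path: IAM allows at most two access keys per user, so the replacement fails if a second key already exists for the user outside of Terraform (for example one created manually in the console).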